1. Field of the Invention
The present invention relates to cryptographic techniques, and more particularly to a method for implementing certificate issuing protocols that can be blinded only restrictively even when the issuing is performed in parallel mode.
2. Description of the Prior Art
Two basic types of certificates can be distinguished: public-key certificates and secret-key certificates. A public-key certificate is a digital signature of an issuer, herein called a Certification Authority, on a public key. The other basic type, secret-key certificates, is described and claimed in patent application Ser. No. 08/321,855, filed Oct. 14, 1994, now U.S. Pat. No. 5,606,617. As with public-key certificates, triples consisting of a secret key, a corresponding public key and a secret-key certificate on the public key can only be retrieved by engaging in an issuing protocol with the Certification Authority. The difference with public-key certificates is that pairs consisting of a public key and a secret-key certificate on the public key can be generated by anyone.
Many signature transporting mechanisms require a Certification Authority to issue triples, consisting of a secret key, a matching public key, and a certificate of the Certification Authority on the public key. Of particular interest for privacy-protecting mechanisms for signature transport are so-called restrictive blind certificate issuing protocols, in which the receiver can blind the issued public key and the certificate, but not a predetermined non-trivial predicate of the secret key; this part of the secret key is said to be blinding-invariant. Restrictive blind certificate issuing protocols, and methods for applying them to privacy-protecting mechanisms for value transfer such as in particular off-line electronic cash, are described and claimed in patent application Ser. No. 08/203,231, filed Feb. 28, 1994, now U.S. Pat. No. 5,521,980.
Patent application Ser. No. 08/203,231, filed Feb. 28, 1994, and patent application Ser. No. 08/321,855, filed Oct. 14, 1994, now U.S. Pat. No. 5,521,980 and 5,606,617, respectively, describe and claim restrictive blind certificate issuing protocols for secret-key certificates. Only one restrictive blind issuing protocol for public-key certificates is described in patent application Ser. No. 08/203,231, filed Feb. 28, 1994, now U.S. Pat. No. 5,521,980; all the other exemplary schemes are for issuing secret-key certificates. While these secret-key certificate issuing protocols are believed to be secure when executed sequentially, they should not be run in parallel when different blinding-invariant numbers are involved: that would enable an attack in which completely blinded triples can be retrieved. In other words, even the presumed blinding-invariant numbers can then be blinded.
For highly demanding transaction environments it is believed to be desirable to have certificate issuing protocols that are secure even when they are executed in parallel. This also allows the issuing to be performed in a distributed manner without requiring coordination between the distributed issuing agents. This invention describes an inventive method for designing certificate issuing protocols that are restrictive blind even when executions of the issuing protocol are performed in parallel with respect to different blinding-invariant numbers. The inventive method can be applied to at least all the secret-key certificate schemes described in patent application Ser. No. 08/203,231, filed Feb. 28, 1994, and patent application Ser. No. 08/321,855, filed Oct. 14, 1994, now U.S. Pat. No. 5,521,980 and 5,606,617, respectively.